dev-swarm-stage-archive

Pass

Audited by Gen Agent Trust Hub on Mar 13, 2026

Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it reads content from untrusted local files to determine variables for system commands.
      • Ingestion points: Project titles are extracted from the first heading of {SRC}/README.md, 00-init-ideas/README.md, or the repository root README.md (naming-procedure.md).
      • Boundary markers: The instructions lack delimiters or directives to the agent to treat the extracted text as untrusted data.
      • Capability inventory: The skill utilizes mkdir, git mv, and rm -rf (archive-procedure.md, submodule-detach.md).
      • Sanitization: No validation or shell-escaping is performed on the extracted project title before it is used in the mkdir command.
  • [COMMAND_EXECUTION]: The skill executes multiple shell commands to manage the repository structure. While functional, the use of rm -rf in the submodule-detach.md file to delete git metadata (e.g., .git/modules/{SRC}) poses a risk if the directory variable is manipulated.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 13, 2026, 08:28 PM